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Technical Field of the Invention 

The present invention relates to an electronic de- 
vice in which acceleration of data processing operations 
is provided, the device comprising a secure execution en- 
5 vironment to which access is controlled. The present in- 
vention further relates to a mobile communication termi- 
nal comprising the electronic device and a device for ac- 
celeration of data processing operations. 

10 Background Art 

Various electronic devices, e.g. mobile telecommuni- 
cation terminals, portable computers and PDAs, require 
access to security related components such as application 
programs, cryptographic keys, cryptographic key data ma- 

15 terial , , intermediate cryptographic calculation results, 

passwords, authentication means for externally downloaded 
data etc. Typically, it is necessary that these compo- 
nents, and the processing of them, is kept secret within 
the electronic device. Ideally, they shall be known by as 

2 0 few people as possible since a device possibly can be 
tampered with if its security related components are 
known. Access to these types of components might aid an 
attacker which has a malicious intent to manipulate a 
terminal . 

2 5 Therefore, a secure execution environment is intro- 

duced in which environment a processor within the elec- 
tronic device is able to access the security related com- 
ponents. Access to the secure execution environment, 
processing in it and exit from it should be carefully re- 

3 0 stricted. Prior art hardware comprising this secure envi- 

ronment is often enclosed within a tamper resistant pack- 
aging. It should not be possible to probe or perform 
measurements and tests on this type of hardware which 
could result in the revealing of security related compo- 
35 nents and the processing of them. 
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In order to protect data in the device, data resid- 
ing in permanent, i.e. non-volatile, memories should be 
encrypted. Data protection is highly desired, since a ma- 
licious person may try to access sensitive data in the 
5 device in case this person attains access to the device, 
e.g. by stealing it. Another scenario where attempts may 
be made to access sensitive data is when a Digital Rights 
Management (DRM) system is included in the device. This 
DRM system stores copyright protected contents and asso- 

10 ciated digital rights that determine what type of access 
a user has to the contents. The DRM system is thus used 
to protect the contents from being accessed by an unau- 
thorized user, misused and/or wrongly distributed. Since 
the contents and the rights have an economic value, the 

15 user may try to access the contents by bypassing DRM con- 
trol functions. Encryption of the data residing in perma- 
nent memory should be secure, efficient and low-cost. As 
mentioned hereinabove, in current device architectures, 
it is possible to handle security related components se- 

20 curely in the secure execution environment. However, this 
may be problematic and results in quite an amount of 
overhead in terms of transfers of data and control sig- 
nals, as secure entries to - and exits from - the secure 
execution environment must be undertaken when performing 

25 encryption operations. 

On the other hand, encryption can be made highly ef- 
ficient by using prior art hardware accelerators outside 
the secure environment. However, another problem arises 
in that it may then be possible for eavesdroppers to get 

3 0 ahold of security components, such as encryption/decryp- 
tion keys, from the accelerators, since the components 
consequently are in the clear. This may be solved by in- 
troducing security measures in the device, but will most 
likely require additional hardware and software and thus 

35 create unacceptable escalations of device costs. 
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Summary of the invention 

An object of the present invention is thus to pro- 
vide acceleration of data processing operations in the 
5 device, but outside the secure execution environment, to 
decrease the time required for data processing, in a man- 
ner such that secret cryptographic keys employed by the 
acceleration device are not exposed to the device user or 
an unauthorized third party. 

10 

According to a first aspect of the present inven- 
tion, an electronic device in which acceleration of data 
processing operations is provided, comprises a secure 
execution environment to which access is restricted, and 

15 which device further comprises an accelerator for accel- 
erating data processing operations, which accelerator is 
arranged with a first logical interface over which data 
to be processed is provided, and a secure second logical 
interface over which cryptographic keys employed in the 

2 0 operation of processing said data is provided. 

According to a second aspect of the present inven- 
tion, a mobile communication terminal includes a device 
according to the first aspect of the present invention. 
According to a third aspect of the present inven- 

25 tion, a device for acceleration of data processing opera- 
tions comprises a first logical interface over which data 
to be processed is provided, and a secure second logical 
interface over which cryptographic keys employed in proc- 
essing said data is provided. 

30 A basic idea of the present invention is to provide 

a device for acceleration of data processing operations 
(an "accelerator") . In particular, the accelerator is 
used to accelerate cryptographic data operations. To 
overcome the problems related to prior art accelerators, 

35 it is necessary to provide an accelerator which is ar- 
ranged such that it performs cryptographic operations on 
data provided to it via a first logical interface. The 
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cryptographic operations are performed by means of en- 
cryption/decryption keys provided to the accelerator via 
a secure second logical interface. To prevent en- 
tries/exits to the secure execution environment every 
5 time data is to be encrypted/decrypted, the accelerator 
is located outside the secure environment. 

The fact that the secure second logical interface is 
employed has the effect that the keys are not disclosed 
to the device user or an unauthorized third party. The 

10 term "logical" implies that the first and the second in- 
terfaces of the accelerator are separated, but not neces- 
sarily physically separated. It is sufficient that they 
logically can be separated such that it is not possible 
to access the first logical interface while transfers are 

15 made on the secure second logical interface. 

Ideally, only so called protected applications, 
which typically are small-size applications for perform- 
ing security critical operations inside the secure execu- 
tion environment, are allowed to handle secret crypto- 

20 graphic keys. Protected applications are applications 
that may be issued by trusted providers, in which case 
they must be authenticated, but they may also be issued 
by any third party, regardless of whether this third 
party is trusted or not. In the latter case, no authenti- 

25 cation occurs. It must be determined from the particular 
context whether the protected application must be issued 
by a trusted provider or not. Generally, applications 
that are arranged in such a way that they have, or are 
given, the power to jeopardize the security of the device 

3 0 should be trusted. 

Protected applications may be regarded as a part of 
a "normal" application executing outside the secure envi- 
ronment. Protected applications may also comprise appli- 
cations employed to implement standard functionality in 

35 the device. For example, protected applications are util- 
ized for booting the device and loading an operating sys- 
tem into it. It is desirable that not even the device 
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user, even though she cannot be considered to be an unau- 
thorized third party, is given access to the secret cryp- 
tographic keys. Possibly, a DRM system is implemented in 
the device, and since the digital contents - and the as- 
5 sociated digital rights - which are rendered by means of 
the DRM system, have an economic value, the user may try 
to access the contents by bypassing DRM control func- 
tions. Of course, there may be other reasons why a user 
should not be given access to the keys; the general secu- 

10 rity aspect must for example be taken into consideration. 

In normal device operation mode, the device proces- 
sor does not have access to security related data located 
within the secure environment. The security data includes 
cryptographic keys and algorithms, software for booting 

15 the circuitry, secret data such as random numbers used as 
cryptographic key material, application programs etc. Ac- 
cess to these security data and the processing of it is 
restricted. When testing and/or debugging the device, 
which typically is located in a mobile communication ter- 

20 minal, access to the security related data is not al- 
lowed. For this reason, the processor is placed in the 
normal, or "unsecure" , operating mode, in which mode it 
is no longer given access to the protected data within 
the secure environment. Consequently, in the normal mode, 

25 the processor, and the corresponding application it is 

executing, is not given access to the cryptographic keys 
of the accelerator. 

The present invention is advantageous, since the 
provision of encryption/decryption keys securely can be 

3 0 controlled, while the initiation of cryptographic opera- 
tions can be performed by normal application software 
executing outside the secure execution environment. In 
practice, normal applications see the accelerator as an 
ordinary hardware peripheral, which decrypts and/or en- 

35 crypts data as required. However, normal applications 

cannot procure sensitive security components associated 
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with the accelerator, such as the cryptographic keys it 
is using. 

Moreover, according to an embodiment of the inven- 
tion, protected applications may prevent normal applica- 
5 tions from accessing the accelerator at any time, for any 
reasons deemed necessary. For example, if it is discov- 
ered that the normal application has been tampered with. 

According to an embodiment of the invention, the de- 
vice processor can be set in one of at least two differ- 

10 ent operating modes. In the device, storage circuitry are 
arranged with at least one storage area in which pro- 
tected data relating to device security are located. The 
processor is given access to the storage area when a se- 
cure processor operating mode is set, and is denied ac- 

15 cess to said storage area when a normal processor operat- 
ing mode is set. The fact that the processor and the ap- 
plication which it is executing is, or is not, given ac- 
cess to the storage area is what defines the actual oper- 
ating modes. The processor is further capable of access- 

2 0 ing the secure second logical interface of the accelera- 

tor, when the secure processor operating mode is set. 

The accessing of the storage area in the storage 
circuitry defines the secure operation mode of the proc- 
essor. The storage areas that the processor can access 

25 while operating in the secure execution mode is referred 
to as the secure execution environment. As previously 
mentioned, these storage areas contain security related 
components such as e.g. application programs, crypto- 
graphic keys, cryptographic key data material, intermedi- 

30 ate cryptographic calculation results, passwords, authen- 
tication means for externally downloaded data etc. In the 
secure execution mode, the processor is capable of ac- 
cessing the secure interface of the accelerator, via 
which the cryptographic keys are provided. The processor 

3 5 is thus capable of adding keys to, or changing keys in, 

the accelerator. This is important, and highly advanta- 
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geous, since the security restrictions imposed on the de- 
vice in the normal, unsecure processing mode is severe. 

According to another embodiment of the invention, 
the first interface of the accelerator is accessible by 
5 any application, while the secure second interface of the 
accelerator is accessible by protected applications only. 
Typically, normal applications executed in the device 
processor, a digital signal processor of the device, or 
some other processing means in the device, sends data in 

10 the clear in to the accelerator, which encrypts the data 
with a secret encryption key received from the secure en- 
vironment and returns the encrypted data to the normal 
application. Hence, this implies that the processor is in 
its normal operating mode. In the normal operating mode, 

15 normal applications can exploit the accelerator services 
related to the encryption/decryption of data. It is* also 
possible that protected applications want to exploit 
these services. These protected applications has the 
authority to do so, and normal applications and protected 

20 applications may alternatingly request cryptographic 

services from the accelerator. However, when the proces- 
sor operates in the secure execution mode, only protected 
applications are allowed to execute. Thus, to access the 
secure second logical interface, the processor must oper- 

2 5 ate in the secure mode and execute a protected applica- 

tion . 

According to yet another embodiment of the inven- 
tion, the accelerator further comprises a configuration 
register arranged to indicate to the accelerator whether 

3 0 secure operation mode or normal operation mode is set by 

the processor, and in which configuration register it is 
further possible to set one of a plurality of possible 
encryption modes, the accelerator being arranged to oper- 
ate in the encryption mode set in the register. The use 
35 of the accelerator configuration register is advanta- 
geous, since the accelerator per se can differentiate be- 
tween the possible operating modes, and thus need not re- 
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quest mode verifications from the device processor each 
time it is to perform requested cryptographic operations. 
The register also enables the accelerator to be arranged 
with one physical interface providing the first and sec- 
5 ond logical interfaces. Moreover, the fact that different 
encryption modes can be set is advantageous, as it is 
possible to decide, on the fly, whether e.g. cipher block 
chaining (CBC) mode, electronic code book (EBC) mode, ci- 
pher feedback (CFB) mode, plaintext feedback (PFB) mode 

10 or any other encryption mode shall be used. 

Further features of, and advantages with, the pres- 
ent invention will become apparent when studying the ap- 
pended claims and the following description. Those 
skilled in the art realize that different features of the 

15 present invention can be combined to create embodiments 
other than those described in the following. 

Brief Description of the Drawings 

The present invention will be described in greater 
20 detail with reference to the following drawings, in 
which: 

Fig. 1 shows a schematic diagram of a device archi- 
tecture for providing data security in which architecture 
the present invention advantageously can be applied; 
2 5 Fig. 2 shows a schematic diagram of the device ar- 

chitecture for providing data security, further arranged 
with a removable smart card, in which architecture the 
present invention advantageously can be applied; 

Fig. 3 shows a schematic diagram of an accelerator 
30 implemented in the device architecture of Fig. 1, in ac- 
cordance with an embodiment of the present invention; and 

Fig. 4 shows a schematic diagram of an accelerator 
implemented in the device architecture of Fig. 1, in ac- 
cordance with another embodiment of the present inven- 
35 tion. 
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Description of Preferred Embodiments of the Invention 

A device architecture for providing data security is 
shown in Fig. 1. Such a system is further disclosed in 
5 the Applicant's international patent application publica- 
tion WO2004/015553 , which application is incorporated 
herein by reference. Circuitry for providing data secu- 
rity is implemented in the form of an ASIC (Application 
Specific Integrated Circuit) 101. The processing part of 

10 the architecture contains a CPU 103 and a digital signal 
processor (DSP) 102. The ASIC 101, is included in an 
electronic appliance 100 such as a mobile telecommuni- 
cation terminal, a portable computer, a PDA etc. and is 
considered to be the "brain" of the appliance 100. 

15 The secure environment 104 comprises a ROM 105 from 

which the ASIC 101 is booted. This ROM 105 contains boot 
application software and an operating system. Certain ap- 
plication programs residing in the secure environment 104 
have precedence over other application programs. In a mo- 

20 bile telecommunication terminal, in which the ASIC 101 
can be arranged, a boot software should exist, which 
software includes the main functionality of the terminal. 
It is not possible to boot the terminal to normal opera- 
ting mode without this software. This has the advantage 

25 that by controlling this boot software, it is also possi- 
ble to control the initial activation of each terminal. 

The secure environment 104 also comprises RAM 106 
for storage of data and applications, i.e. protected 
data. The RAM 106 preferably stores so called protected 

30 applications, which are smaller size applications for 

performing security critical operations inside the secure 
environment 104, but also objects such as cryptographic 
keys, intermediate cryptographic calculation results and 
passwords. Normally, the way to employ protected applica- 

35 tions is to let "normal" applications request services 
from a certain protected application. New protected ap- 
plications can be downloaded into the secure environment 
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104 at any time, which would not be the case if they 
would reside in ROM. Secure environment 104 software con- 
trols the downloading and execution of protected applica- 
tions. The protected applications can access any re- 
5 sources in the secure environment 104 and they can also 
communicate with normal applications for the provision of 
security services. 

In the secure environment 104, a fuse memory 107 is 
comprised containing a unique random number that is gene- 

10 rated and programmed into the ASIC 101 during manufactu- 
ring. This random number is used as the identity of the 
specific ASIC 101 and is further employed to derive keys 
for cryptographic operations. Further, storage circuit 
access control means in the form of a security control 

15 register is arranged in the secure environment 104. The 
purpose of the security control register is to give the 
CPU 103 access to the secure environment 104, or prevent- 
ing the CPU 103 from accessing the secure environment 
104, depending on the mode set in the register. Operating 

20 modes for the CPU 103 can be set in the register by ap- 
plication software, resulting in the fact that the archi- 
tecture does not have to rely on external signals. From a 
security viewpoint, this is preferable since by contro- 
lling the application software, the setting of processor 

25 modes can also be controlled. It is also possible to have 
an external signal (not shown) connected to the ASIC 101, 
by which signal it is possible to set the security con- 
trol register. By using an external signal, a mode change 
can be executed quickly and easily, which can be advan- 

30 tageous in test environments. A combination of these two 
mode setting means, i.e. application software as well as 
external signals, is feasible. 

The architecture further comprises a standard bridge 
circuit 109 for limitation of data visibility on the bus 

35 108. The architecture should be enclosed within a tamper 
resistant packaging. It should not be possible to probe 
or perform measurements and tests on this type of hard- 
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ware which could result in the revealing of security re- 
lated components and the processing of them. The DSP 102 
has access to other peripherals 110 such as a direct mem- 
ory access (DMA) unit, RAMs, flash memories and addi- 
5 tional processors can be provided outside the ASIC 101. 

Another embodiment of the device architecture for 
providing data security is shown in Fig. 2, wherein cor- 
responding reference numerals denote corresponding ele- 
ments as described in connection to Fig. 1. The differ- 

10 ence in the architecture shown in Fig. 2, as compared to 
the architecture illustrated in Fig. 1, is that the elec- 
tronic appliance 200 is arranged with a removable smart 
card 211, for example a SIM, which also may be considered 
to be a secure environment. For security purposes, the 

15 mobile terminal 200 and the smart card 211 store digital 
certificates issued by trusted certification authorities 
(CAs) . Certificates are used to ensure actors communicat- 
ing with the mobile terminal 2 00 and/or the smart card 
211 that the holder of a specific certificate has been 

2 0 authorized by the corresponding trusted CA. The CA signs 

the certificate, and the certificate holder must be in 
possession of the public key that corresponds to the pri- 
vate key of the CA to verify that a certificate signed by 
the CA is valid. Note that different devices can hold 
25 certificates from different CAs. In that case, the dif- 
ferent CAs must perform some communication with one an- 
other, for example exchange their own public keys. Cer- 
tificates are well known for those skilled in the art, 
and a well known standard certificate are the certificate 

3 0 contained in the CCITT recommendation X.50 9. 

Fig. 3 shows a device architecture as described in 
connection with Fig. 1, here with an accelerator 311 im- 
plemented. Again, corresponding reference numerals denote 
corresponding elements as described with reference to 
35 Fig. 1. In this embodiment, the accelerator is arranged 
with one physical interface 312. When the normal, unse- 
cure execution mode of the processor 303 is set, the 
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physical interface acts as a first logical interface over 
which data to be encrypted/decrypted is provided. How- 
ever, when the secure execution mode of the processor is 
set, the physical interface acts as a secure second logi- 
5 cal interface over which cryptographic keys employed in 
the operation of encrypting/decrypting data is provided. 
Further in this embodiment, the accelerator is provided 
with a configuration register 313 arranged to indicate to 
the accelerator whether secure operation mode or normal 

10 operation mode is set by the processor 303. This register 
is located at an address on the bus 308 to which the 
processor only is allowed to write if secure execution 
mode is enabled. Hence, only protected applications are 
allowed to set, alter or modify this register. If the 

15 register 313 is set in an adequate manner, i.e. the reg- 
ister is set with a predetermined code, keys can be writ- 
ten to the accelerator. 

Initially, when booting the ASIC 3 01 implemented in 
an electronic appliance such as a mobile communication 

20 terminal 300, the processor is made to operate in its se- 
cure execution mode and a protected application sets the 
configuration register appropriately, whereupon the pro- 
tected application can provide the accelerator 311 with 
cryptographic key(s) via the physical interface 312, 

25 which consequently acts as a secure second logical inter- 
face. After initialization, the protected application al- 
ters the configuration register 313 such that it is not 
possible, with the given configuration, to modify or 
change keys in the accelerator. Further, the protected 

30 application sets the processor 303 in the normal execu- 
tion mode and hands over operation of the device 3 01 to a 
normal application. The physical interface 312 hence acts 
as a first logical interface, and the processor can pro- 
vide the accelerator with data to be cryptographically 

35 processed. During operation of the ASIC 301, the crypto- 
graphic keys can be altered by the processor executing in 
the secure execution mode. 
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In the configuration register, it is further possi- 
ble to set one of a plurality of possible encryption 
modes (CBC, EBC, CFB etc) in which the accelerator is ar- 
ranged to operate . 
5 Fig. 4 shows a device architecture as described in 

connection to Fig. 1, here with another embodiment of the 
accelerator 411 implemented. Again, corresponding refer- 
ence numerals denote corresponding elements as described 
with reference to Fig. 1. In this embodiment, the accel- 

10 erator is arranged with two physical interfaces 412, 414. 
When the normal, unsecure execution mode of the processor 
403 is set, the first physical interface acts as a first 
logical interface 412 over which data to be en- 
crypted/decrypted is provided. However, when the secure 

15 execution mode of the processor is set, the second physi- 
cal interface acts as a secure second logical interface 
414 over which cryptographic keys employed in the opera- 
tion of encrypting/decrypting data is provided. The se- 
cure second logical interface is directly connected to 

20 the processor, and the processor is only allowed to write 
to the second interface if secure execution mode is en- 
abled. Hence, only protected applications are allowed to 
set, alter or modify the cryptographic keys. 

In this embodiment of the accelerator 411, ini- 

25 tially, when booting the ASIC 401, the processor is made 
to operate in its secure execution mode and a protected 
application sets the cryptographic keys via the secure 
second logical interface 414. After initialization, the 
protected application sets the processor 403 in the nor- 

3 0 mal execution mode and hands over operation of the device 
401 to a normal application. The processor can thus pro- 
vide the accelerator with data to be cryptographically 
processed via the first logical interface 412. 

In this embodiment of the accelerator, the accelera- 

35 tor may also be arranged with a configuration register 

(not shown) in which it is possible to set one of a plu- 
rality of possible encryption modes (CBC, EBC, CFB etc) 
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in which the accelerator is arranged to operate. This 
register may be set by the processor 4 03 via the secure 
second logical interface 414. 

Even though the invention has been described with 
reference to specific exemplifying embodiments thereof, 
many different alterations, modifications and the like 
will become apparent for those skilled in the art. The 
described embodiments are therefore not intended to limit 
the scope of the invention, as defined by the appended 
claims . 
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